HomeNews2014
Five key capabilities for gaining visibility and control over your handheld computers and mobile devices

Share this article

Secure your data

Sign up to the Gameplan newsletter to keep up-to-date with the latest security industry news.

2014 Articles

2014

Five key capabilities for gaining visibility and control over your handheld computers and mobile devices

Successfully managing the mobility and diversity of your enterprise’s computing platforms, network connectivity, applications and data, whilst also balancing the needs of multiple departments, personnel and business functions, means that your organisation needs to have a greater degree of integration, visibility and control over its mobile devices.

Business context: becoming the master of your own domain

Mobility has rapidly become a fact of life for your typical end user. Moreover, the blend of personal and professional use of mobile devices has become the norm. On the one hand, mobility and “anywhere, anytime” access makes life easier for users and that means greater flexibility and productivity in the field for the organisation.

But on the other hand, it means security risks to your IT infrastructure and mission-critical data - security risks that often are not recognised or are ill-ignored. Not to mention the greater complexity and higher cost of management of the infrastructure that comes with those risks.

The new diversity and complexity of the typical enterprise IT infrastructure today inhibits the protection and management of mobile devices and, for many large organisations, those challenges are magnified by other IP-enabled devices joining the corporate network ranging from network printers to video surveillance cameras and industry-specific handheld devices in industries as diverse as healthcare, transportation, field service and retail.

Understandably, this diversity - and the turnover - of devices that need to be supported and the resulting chaos of platforms, network connectivity, applications and myriad data storage points bring additional problems for control, cost and, perhaps most importantly, security.

Multiple users, different needs

One of the biggest challenges for your IT security is that the different stakeholders, personnel and departments in your enterprise have clearly different objectives, needs and points of view:

Your end-users want convenient, reliable access to the data and the applications that they need to carry out their day-to-day business activities. Added to that, they also expect the same level of access and convenience for their personal activities too. Often they want you to support the devices that they personally own and yet want to be able to install their favourite personal applications and store data that is important to them in a non-business context, even if that data or those applications are from untrusted, consumer-oriented sources.

They are also unaware of the security issues they represent and the risks that they expose your IT infrastructure and thus, the enterprise, as well as the risks that they are taking with their personal information and privacy.

Your business leaders look to your IT department to support the objectives of the enterprise. Often these involve increasing productivity, enabling collaboration, improving convenience and work flexibility. In an ideal world, these objectives consider not only strategy, cost and compliance but also increased risk. In that same world, they are expressed as clear, consistent policies. But in the real world, they tend to give highest priority to competitive agility, time to market and profit and not to security and risk.

Your auditors want you to produce evidence that the right end users have the right levels of access to the right applications and the most pertinent data, and all at the right times. They want to see proof that due care has been taken to manage security risks as well as to address regulatory requirements for compliance, such as Data Protection.

Your department, of course, aims to protect the enterprise but must also manage, and continue to simplify the management of, the increasingly complex IT infrastructure. Increasingly, you’re dealing not only with more end users, more applications, more networks, more providers and more data, but also with more risk. Your biggest challenge is to maintain security and maintain compliance all the while supporting more and more complexity and larger and larger scale, all at ever reducing budgets.

What and who is on your network? The five key questions

Successfully managing the mobility of your enterprise’s computing platforms, network connectivity, applications and data whilst balancing the needs of all these different stakeholders, departments and personnel requires you to have a greater degree of integration, visibility and control over the network devices, mobile devices and end users that you must manage.

The capabilities that you need for success in this dynamic, chaotic environment can be encapsulated in your ability to answer these five key questions:

What devices are on the network? This includes all network devices including routers, switches, access points and any other infrastructure that allows both wired and wireless access to the network, such as personal computers, laptops, smartphones, handhelds, PDAs and mobile phones.

Which end users are connected to the network? Consider employees, part-time staff, temporary or contract staff, enterprise partners and customers.

Before they connect, are the devices and end users compliant with the policies we already have in place? This includes policies such as access methods (e.g., wired, wireless, VPN, web, intranet, extranet, etc.), access privileges (group, role, time of day) and access context (device authentication, standard configs, device health based on security and virus scans).

After they connect, do the devices maintain compliance with those policies? Most enterprises know that compliance is not a one-time event, but is an ongoing process. You could ask if any enterprise responsible for a large IT infrastructure is compliant and the truthful answer often would be “We were on Wednesday at 4pm, but who knows what’s happened since then or where things may have drifted?”. An IT infrastructure designed for sustainable, continuous compliance includes streamlining process for management, audit and reporting.

Do we have visibility across the enterprise into the status of every network device, mobile device and end user? Do we have a common management view of all the relevant information and events and do we have the ability to automate the enforcement of our policies? As mobility and complexity increases, the importance of knowing this information goes beyond simple security reporting and compliance to satisfy the auditors to providing the business leaders with visibility and insight into the services that support the enterprise’s mission-critical activities.

There is no simple answer to the complex problems faced by enterprises today. The best approach is one that is methodical and that does not attempt to “run before it can walk”. Elements of such an approach include:

Identify and discover all network devices: Start with the devices that make up the enterprise network infrastructure, wired and wireless that enable network access. Then move to identifying and discovering all IP devices connecting to those. For the most part, this includes traditional systems and mobile devices, but can also include a wide range of other IP-connected devices as mentioned above.

Establish consistent policies: Prioritise security control objectives as a function of risk, audit and compliance requirements. Not all resources are worth the same level of management and protection so give priority to those resources that have the greatest impact on your stakeholders and the business.

Assign clear ownership and accountability: Ownership and accountability should belong to a cross-functional team headed by someone at executive level to achieve the best results.